The open-connectivity nature of the current Internet has been plagued by security problems such as host compromise, Distributed Denial-of-Service (DDoS) attacks, worms, and the like. In order to tackle these vulnerabilities, architectural modifications to networks have been proposed. Each of these proposals, however, has its own drawbacks.
Two examples of such proposals are known as “filtering” and “capability” based solutions. A filtering-based solution satisfies some key design issues related to network vulnerability, such as network-based access control, pooling of resources and limited attack isolation, but not others, such as mobility friendliness and scalability. On the other hand, capability-based solutions such as Traffic Validation Architecture (TVA) satisfy the issues of attack isolation, scalability and limited network-based access control, but not mobility friendliness or pooling of resources. Further, although TVA builds DDoS resiliency into the IP layer, thereby narrowing the attack vulnerability window to a small fraction of the forwarding bandwidth, it still allows a DDoS attacker to arbitrarily delay legitimate sources' access to the network.
Accordingly, it is desirable to provide solutions that make Internet-based networks less vulnerable. Further, it is desirable to provide solutions that satisfy all of the key design issues related to decreasing a network's vulnerability, namely, network-based access control, pooling of resources, attack isolation, mobility friendliness and scalability.